sloth unleashed

Twitter is looking to add another layer of protection to its user authentication. After having at least 250,000 accounts’ passwords compromised in an attack against its service last week, Twitter apparently plans to implement two-factor authentication as an option to help users better protect their accounts—or at least it’s hiring people to help do that.

In a job listing posted by Twitter this week, the company seeks software engineers to develop “user-facing security features, such as multifactor authentication and fraudulent login detection.” When contacted by Ars, a representative for Twitter said the company has no specific details to share about its plans at this time.

Twitter currently uses OAuth as its authentication protocol via applications (either mobile apps or other Web services), which prevents attackers from recording and replaying session information trying to hijack open user sessions. For direct user authentication, Twitter uses secure socket layer (SSL) encryption to pass user credentials from Web browsers and other Twitter clients.

Those measures protect users’ passwords and sessions from being directly intercepted and taken over in most cases. But they don’t guard against “man-in-the-middle” attacks, where a malicious access point or firewall using an SSL proxy intercepts encrypted Web traffic. Hackers have grabbed users’ Twitter credentials in the past through malicious webpages using cross-site scripting, e-mail “phishing” attacks, and other means. Last August, for example, the Reuters news service had its Twitter feed taken over by pro-Syrian hackers who pulled the Twitter password from the service’s blogging platform…